Friday, December 27, 2013

Newtonian cause & effect thinking


Classical Newtonian physics taught us the principle of cause and effect.  For every observable effect on the physical universe there is a corresponding cause. For every observable cause there is a corresponding effect. Stated another way, for every action there is a reaction.

Sir Isaac Newton lived from 1642 to 1727.  
The work in general and special relativity of Albert Einstein (1879 - 1955) challenged much of Newton.
Later the quantum mechanics work of Max Born, Werner Heisenberg and Wolfgang Pauli in the early 1920s challenged the dominant Newtonian principles even further.

Little argument can be raised that much of what we knew about nature based on Newtonian physics was being radically reorganized by the latter stages of the 20th century.

Cause and effect thinking got a turbo boost in business during the 1980’s rise of total quality management.

As we launch into 2014 cause and effect thinking remains a dominant force in business and (of course) politics.

In cyber security, when we see a large scale compromise (effect), we seek to understand the corresponding cause.  Further than Newton, we must now seek to know who caused what, when and how.
Security professionals must then tell their bosses that defenses have been expanded/adjusted so “this won’t happen to us” or “this can’t happen to us again”.

If enterprise cyber defenders can ever be successful in overcoming the attackers' offensive advantage, they must employ an even greater force of creativity than their adversaries.

Cyber defenders should restate the Newtonian principle.  SOME CAUSES CAN CREATE SOME EFFECTS SOME OF THE TIME.

The time is now for cyber defenders, architects and product developers to think WAY OUT OF THE BOX AT THE MACRO LEVEL.  WAY, WAY, WAY OUT OF THE BOX.

Monday, November 11, 2013

Wayne Gretzky ?


If you're like me you might get tired of hearing business executives talk about Wayne Gretzky.

"We can't be chasing the puck; we've got to skate to where the puck will be." I’m sure you have heard it too. Skating to where the puck will be is the best known quote attributed to Wayne Gretzky.

If you are a younger person (a Millennial as you might be called), you might not know that Wayne Gretzky was a hockey player.  He made it to the hockey hall of fame.  Wayne Gretzky retired from playing ice hockey in 1999.


HOW MUCH OF WHAT WE LEARNED IN 1999 APPLIES TO BUSINESS TODAY?

"Skating to where the puck will be" became a popular business phrase in the late 90s but I'm shocked that some executives are still using it today.

Unfortunately,  although that phrase may be good for ice hockey, BUSINESS IS NOT ICE HOCKEY. 

You see because ice hockey operates in a closed system, the puck has a well defined area in which it can travel.  The puck can only go so many places.  NO UNEXPECTED EXTERNAL FORCES CAN INFLUENCE THE TRAVEL OF THE PUCK.  Nothing can enter that ice area from the outside to alter the dynamics of the game. 

Business operates in an open system. Business does not operate within closed system defined boundaries.   Why are we still talking about Wayne Gretzky when our businesses operate subject to open system dynamics?


The New York Times published an interesting article regarding how the open, instant and transparent communications culture of Millennials (younger people) is challenging our top-down, fear based business organizations.

It's worth your time to read it.

http://www.nytimes.com/2013/11/10/jobs/embracing-the-millennials-mind-set-at-work.html?ref=technology

Saturday, November 2, 2013

SOMETIMES


Sometimes I encounter job related stress from projects or people.  Maybe you do too.
Sometimes I need to de-stress just to keep going.  Maybe you do too.
So I was de-stressing the other day and it occurred to me .........

Sometimes my family thinks I am the source of our money.
Sometimes I remember the real source of my money is my employer.
Sometimes I remember the real source of my employer's money is my employer's customers.
Sometimes I remember their money really comes from their customers.

What a revelation ! ! !

Yesterday I bought something from a company who is a customer of a customer of my employer.
So if the above is true, yesterday I triggered an (albeit small) economic cycle which will soon reward me (albeit small).

Your reading this may not be helpful to you, but my writing it was helpful to me.

Apologies.




Sunday, September 8, 2013

Learning is not compulsory





Deming taught:

96% of all failure is systems failure. 
The remaining 4% is people failure.

Executive Management owns the system.

The system must include the customer.

Does any one know of a company that practices these beliefs?

Monday, September 2, 2013

COMPLEX SYSTEM DYNAMICS



Have you ever heard business managers and executives comment (and maybe even complain) about how complex things have become?  I sure know I have and I bet you have too.

Have you asked yourself what resources might be available and might be useful in better accommodating today's complexity?

Unfortunately most people are unaware of a very useful and proven body of new science/engineering referred to as complex systems dynamics.  It is a perfect adjunct to traditional linear engineering education and professional practice.  Ironically, the field originated at MIT back in the 1950's !

This body of mental model thinking brings profound complex problem solving leverage to our world.

People rarely ask me where/how I come up with some of the approaches I use.  We seem to be so busy looking for answers that we forget to ask questions.

Personally, private study and experimental application of complex system dynamics mental models have driven more success and advancement in my career than my Bachelor of Science in Mechanical Engineering, Master of Arts in Business Management or Master of Business Administration degrees.

I would refer those interested in learning more to http://www.pegasuscom.com/aboutpci.html

This is not a consulting company looking for your business. http://www.pegasuscom.com/aboutpci.htm is a resource site of available written learning materials.

Look over their website.  Please contact me if you have questions about where to start your learning journey in this remarkable field.

Sunday, July 28, 2013

Proof of Synergy??


It's not really that relevant that I first encountered this mathematical argument on a white board in a 5 sided building in Arlington, Va.

A = B

A^2 = AB

A^2 - B^2 = AB - B^2

(A - B) (A + B) = B(A - B)

A + B = B

B + B = B

2B = B


2 = 1

Don't just knee jerk and run the data thru the algorithm.  Remember that when complex systems fail, they fail in complex ways, so much so that their very failure may be hard to detect.

Sunday, July 7, 2013

Serial Innovators



Serial innovators are not looking for opportunities. They look for concrete problems that cause potential customers significant pain--problems with solutions for which customers would be willing to pay. Serial innovators know they have an interesting problem when it meets three criteria:

Solving the problem has the potential for significant financial impact.
A solution likely can be found.
The problem and its solution are acceptable to both customers and management (it solves problems and fits strategy).

Serial Innovators follow Thomas Edison’s advice regarding innovating: “I don’t want to invent something that no one will buy.” They understand that technology is just a means to an end, the firm is in business to make money, and the only way they will be allowed to continue innovating is to develop a product that profitably solves customer problems.

4 methods for finding the right problem

Using Strategy to Identify Problems: Sometimes serial Innovators, like inventors, start investigating a problem area because the performance capabilities of a particular technology have reached a plateau, while performance demands keep increasing. To move to the next performance level requires shifting to a different technology.

Reframe Existing Problems: Serial Innovators have an uncanny ability to reframe existing problems. By immersing themselves in a problem, they see it through a different lens that allows them to capture aspects that had been previously overlooked.

Work Backward from a Far-in-the-Future Vision: Serial Innovators may work backward from a long-term goal to discover how tackling a series of short-term problems might allow them to ultimately produce, many decades later, that long-term vision. They would begin by developing a salable product based on the first technology step, providing a pathway of interesting (i.e., profit-producing) shorter-term problems to solve on the way toward their long-term end point.

Use Other Domains for Insight: Serial Innovators find the right problem by gathering insight from across multiple domains. Fred, a Serial Innovator in medical devices, routinely tracked university patent applications in his search for interesting problems. He initiated conversations with university Inventors to determine what they were doing and, more important, why. The “why” gave him insight into what problems these university Inventors thought were important. He also routinely visited university new venture incubators, investigating why they were trying to commercialize the various technologies--what problems were they trying to solve? When he found multiple academic researchers patenting and trying to commercialize different products to solve similar problems, he knew he was on track to finding an interesting problem to solve for the firm.

When a problem has significant financial impact, a findable solution, and a fit with the customer and the management, serial innovators shift from finding to understanding.

How to understand the problem deeply

First, prepare to understand:

In preparing to understand, serial innovators do not rely solely on themselves to define the problem and its unknowns. Part of their preparation includes assembling the people they need from the various domains that will help them completely understand the problem. Most frequently, they create a “team” of people in their network not formally assigned to the project, who they tap--sometimes individually, sometimes in groups--to help clarify various aspects of the problem. Then, with the help of their “team,” serial innovators define what they need to know.

Some serial innovators use the technique of asking the “why” question five times, “peeling the onion” to understand root causes. Another serial innovator puts together a “learning plan,” a simple document or presentation in which he and his team agree to and write down what they know as well as what they do not know about the problem, the project, and its objectives. Serial innovators believe there is more power in understanding what they do not know than what they already do, so they tend to focus on the “what don’t we know.”

Once they have defined the initial unknowns and assembled the resources necessary to eliminate them, they start the work of gathering and synthesizing information to eliminate the unknowns.

Second, think holistically: 

Serial Innovators gather information from a number of perspectives and then integrate across those multiple domains to understand completely. They speak of thinking holistically to “connect the dots,” the specific pieces of information associated with understanding the problem. But, in order to connect them, they first must “find the dots.” The task at hand is all about discovery. In their form of discovering, the real challenge is to view the problem from multiple perspectives, or domains. They think from the technical, customer, market, and competitive perspectives, melding information from each into an overall, holistic understanding of the problem and the various contexts in which it resides. Problems are viewed as more than technical or engineering challenges--they are multifaceted systems.

Innovators seek technical understanding but also recognize the importance of customer and end-consumer derived information in developing their understanding of a problem. At this point, the Serial Innovator is not trying to market a product--just trying to understand the problem from the customer’s perspective. Serial innovators perform their own market research instead of letting a separate division or outside firm conduct research for them. They need richness in the data, and they need to understand it personally. They cannot let other people interpret raw data for them.

In addition to technical and customer perspectives, serial innovators have a keen awareness of their competitor’s capabilities. Serial innovators understand how technology--both theirs and their competitors’--fits into the market. They understand the trade-offs between the two, and are able to find the right balance between their technology and the demands of the market. They then use the insight they acquire by intensely studying their customers to give them an advantage over the products their competitors have engineered.

During this “dot-finding” process, serial innovators focus primarily on understanding individual customer needs and technical possibilities and on maintaining a sense of what competitors are doing. However, they occasionally circle back into considering the general market trends to ensure that there still is a market for the problem they are trying to solve--and that someone else has not already commercialized a product to solve that problem. During this part of the process, serial innovators look at individual customers to understand specific needs. To understand market opportunities, on the other hand, they look at the market in aggregate.

As serial innovators refine their understanding of the problem from each perspective, they redefine their objectives and enhance their support network. Then, when they have gathered sufficient information across all relevant dimensions, serial innovators make connections across these disparate types of information that others just do not see. Their special capability to synthesize information allows them to reach the desired “Aha!” moment needed to solve the problem. We’ve labeled this capability “discernment”--keen insight into seeing the solution of a profoundly complex problem with a multitude of constraints.

When we have asked serial innovators about this capability, they typically shrug their shoulders; “I’ve been told it’s a gift,” is one reply. They don’t know how they do it either. We tentatively conclude that they have gathered enough breadth and depth of knowledge through their multifaceted investigation of each problem that they can make an experience-based intuitive leap. This leap is possible in part because of their capabilities, and in part because management has granted them enough time and sufficient resources to truly understand the problem at hand.

Excerpted from Serial Innovators: How Individuals Create And Deliver Breakthrough Innovations In Mature Firms by Abbie Griffin, Raymond L. Price and Bruce Vojak. (c) 2012 Board of Trustees of the Leland Stanford Jr. University, reprinted by permission of the publisher, www.sup.org. 

Tuesday, July 2, 2013

The Seven Dimensions of any Business



Larry Wilson
Founder Pecos River Learning Center

With an engineering degree and two MBA's, I "get" where executives are when it comes to their businesses.

Let's go a bit deeper than Peter Drucker's original six (6) functions of management: Planning, Organizing, Staffing, Directing, Controlling and Reporting.

IN ANY HIGH RATE OF CHANGE ENVIRONMENT THE QUESTIONS YOU ARE WILLING TO ASK LEAD TO BETTER ANSWERS.  Your least leverage is simply reacting to events.


Larry Wilson is one of the most amazing people I never met. His book "Changing the Game" is mandatory reading for my students of all ages.

Again drawing from complex systems study I find executives and managers don't realize there are seven (7) fundamental dimensions to any game; even the game of business.  These dimensions apply to so many things: growing a business, securing a business, developing employees, proper use of technology, the list is as long as one chooses to make it.

Understanding these seven (7) dimensions opens new opportunity for growth.

THINK ABOUT THESE SEVEN (7) . . . making the following substitutions:
GAME = YOUR BUSINESS; PLAYERS = YOUR EMPLOYEES

1) PURPOSE IN PLAYING THE GAME

2) INFORMATION AVAILABLE TO PLAYERS

3) PERMISSIBLE ACTIONS OF THE PLAYERS

4) CRITERIA FOR PROGRESS IN THE GAME AND BY THE PLAYERS

5) IMPACT OF RANDOM EVENTS ON THE GAME

6) DISTRIBUTION OF THE REWARDS TO THE PLAYERS

7) CRITERIA FOR TERMINATING THE PLAYERS OR THE GAME



Monday, July 1, 2013

Jack Reacher "Life is full of decisions"



Tom Cruise
as Jack Reacher

"LIFE IS FULL of decisions and judgments and guesses, and it gets to the point where you’re so accustomed to making them you keep right on making them even when you don’t strictly need to.  

You get into a what if thing, and you start speculating about what you would do if some problem was yours instead of somebody else’s."

- Jack Reacher

Sunday, June 30, 2013


TO MY KIDS

This will only take five minutes and it will be my last speech.   I say it's my last speech because I'm not sure my previous speeches worked and I'm out of material.  

The obligation of any parent is to pass on what they've learned.  I tried my best to do that.  Any new generation will always say "but the world is different now" and they are partially right.  The parents are right too.  Although many things change very fast some things stay remarkably constant. (My parents turned out to be right more times than I ever gave them credit for.)

Here's what I pass on:

1.   Experience is the best teacher - if you can survive the experience. 

2. The value of a college education cannot be overvalued or over appreciated.  Get one. 

3. Write down your goals for this week,  this month, this year and the next two years.  Keep them where you can see them.   Keep your goals simple and measurable.  Write down why you want to attain them.  

4.   Spend 70% of your time taking action to attain your goals.  Spend 20% of your time refining your goals.   Spend 10% of your time in rest and recreation.  Spend 0% of your time thinking about the past.  

5.  Time goes faster the older you get.  

6.   Treat others the way you would like to be treated. 

7.  When your parents are gone sometimes you will wish they were still around.  

8.  Of whatever money you make: save one third, spend one third and pay the government the other third. I didn't do this and I wish I would have.

I'm not sure exactly what I learned in college but it proved to me that I could do it and it built my confidence in me. It also proved to others that I could do it so they had confidence in me. 

I'm not sure exactly what being a Captain in the Air Force accomplished but it proved to me that I could do it and it built my confidence in me. It also proved to others that I could do it so they had confidence in me.  

Love,  
Your Dad

Sunday, April 28, 2013

Banks viewing DDOS as the new norm

Larger banks and financial institutions are now viewing defending against DDOS attacks as business as usual. Let's review a few basics before we examine that issue in more detail.

Way back when denial of service attacks first began, they were used primarily as a cyber crime extortion tactic.  The attackers would offer to cease attacking a website in return for cash payments.
That approach has somewhat faded although we do hear of extortion periodically against mainly on-line gaming sites.  There is little question that increased sophistication by law enforcement in tracking extortion payments has been a significant factor in reducing extortion as a criminal business driver.

It appears the groups responsible for denial of service attacks now fit the definition of hacktivists and nation states.

BOTS and BOTNETS
The rise of the bot and the linking of bots into botnets under centralized command & control brought denial of service attacks to a new level.  Unfortunately I still find way too many executives confused about bots and botnets.  Let me propose simple definitions of bots and botnets that might help us understand where we are in this aspect of the complicated landscape of cybersecurity.

I think of a bot as a simple piece of malicious code, usually fairly small in size, that has found its way onto a personal computer at home, a host server within an enterprise computing infrastructure or a server at a hosting company.  Unfortunately bots are now being found on smartphones, tablets, digital security cameras and internet ready TV's.  Any digital device attached to a network can store a bot.  Readers will do well to remember that the vast majority of bots remain undetectable to common anti-virus scanning.

Although many bots do carry some rudimentary capability to probe their host environment, by and large the dominant capability of most bots is to communicate with and receive instructions from a central command and control server.  When multiple bots do that they have become part of a botnet.  Botnets being instructed by a command and control server to flood a website with thousands if not millions of web page requests per second, constitute a distributed (many bots) denial of service (DDOS) attack.  DDOS constitutes an ongoing problem for major financial institutions.  
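Seen from the defending website, the flood described above looks like this. The sketch below is an added example, not part of the original post: it slides a one-second window over a web access log and separates a single noisy client from a distributed flood in which no individual source looks abusive. The log format, the thresholds and the addresses (documentation ranges) are constructed assumptions.

```python
from collections import Counter, deque

# Thresholds are assumptions chosen for the constructed sample below.
WINDOW_SECONDS = 1.0
TOTAL_RATE_LIMIT = 50      # requests per window across all sources
PER_SOURCE_LIMIT = 20      # requests per window from one source


def parse_line(line):
    """Parse '<epoch_seconds> <source_ip> <path>' (constructed log format)."""
    ts, src, path = line.split()
    return float(ts), src, path


def classify_windows(lines):
    """Slide a window over the log and label each moment of overload.

    Returns (timestamp, label, distinct_sources) for every request that
    arrives while the window holds more than TOTAL_RATE_LIMIT requests.
    """
    window = deque()          # (timestamp, source) pairs inside the window
    per_source = Counter()    # requests per source inside the window
    findings = []
    for line in lines:
        ts, src, _ = parse_line(line)
        window.append((ts, src))
        per_source[src] += 1
        # Evict requests that have aged out of the window.
        while window and ts - window[0][0] >= WINDOW_SECONDS:
            _, old_src = window.popleft()
            per_source[old_src] -= 1
            if per_source[old_src] == 0:
                del per_source[old_src]
        if len(window) <= TOTAL_RATE_LIMIT:
            continue
        _, top_count = per_source.most_common(1)[0]
        if top_count > PER_SOURCE_LIMIT:
            label = "single-source flood"
        else:
            # Every source is under its own limit, yet the site is overloaded:
            # a per-IP rate limit alone would not trigger here.
            label = "distributed flood"
        findings.append((ts, label, len(per_source)))
    return findings


def summarize(lines):
    """Collapse findings into {label: largest number of distinct sources}."""
    summary = {}
    for _, label, sources in classify_windows(lines):
        summary[label] = max(summary.get(label, 0), sources)
    return summary


def constructed_sample():
    """Build three constructed traffic phases (not real traffic)."""
    lines = []
    # Phase 1 (t=0..1): normal traffic, 10 requests from 5 clients.
    for i in range(10):
        lines.append(f"{i * 0.1:.3f} 192.0.2.{i % 5 + 1} /index.html")
    # Phase 2 (t=10..11): one client sends 80 requests.
    for i in range(80):
        lines.append(f"{10 + i * 0.0125:.4f} 198.51.100.7 /login")
    # Phase 3 (t=20..21): 200 bots send 2 requests each.
    for i in range(400):
        lines.append(f"{20 + i * 0.0025:.4f} 203.0.113.{i % 200 + 1} /login")
    return lines


if __name__ == "__main__":
    print(summarize(constructed_sample()))
```

In the third phase each source sends only two requests, which is why aggregate volume and source diversity have to be watched together rather than per-client rates alone.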

PAST, PRESENT, FUTURE
Prior to 2012, most DDOS attacks against financial institutions lasted several hours and may have extended to several days at most.  Beginning around mid 2012 the duration of DDOS attacks significantly elongated.

Some evidence exists that compromised or organized crime associated hosting facilities (read lots of computing power . . . . lots of communications bandwidth) in central Europe and Asia have become the attack origin of choice for DDOS attackers.   Given access to or control of larger computing and bandwidth, botnet operators devised ways of very rapidly populating very large numbers of bots within these hosting facilities.

Of additional concern is the widespread availability of consumer cyber crime tools, including toolsets capable of launching or participating in a DDOS attack.

Large financial institutions are well advised to expect, anticipate and make advanced preparations to defend against DDOS attacks on an ongoing basis for the foreseeable future.




Sunday, January 20, 2013

2013

So here we are 2013.  As usual I am getting some invitations to keynote a couple cyber events.  I am actually thinking I might do a few this year.  Anyway, belated Happy New Year.

The intent of this blog is to be provocative.  That is, ..... to provoke defensive cyber professionals into challenging their dominant paradigms around security.  Remember a paradigm is what we think about something before we think about it.

Think along with me for a second.

Have you ever made a mistake?  In anything . . . . work, family, relationships, neighbors ?
Raise your hand if you have ever made a mistake. (Be honest).

Ok.  So after you made a mistake, did you ever say to yourself, "No matter what happens I swear I will never make that mistake again?"  (Yea.  You probably did that at least one time in your life.  I know I have.)

Did you ever - after swearing you wouldn't do it ever again - go on and make the exact same mistake a second time?   Yea. Crazy.  I have.  Just ask my wife or kids!

So trying harder and promising ourselves that we won't repeat our mistakes DOESN'T WORK.  We usually follow that up with Laying Blame or Justifying our mistakes based on some external event or external force.  We then try Massive Action to try to cloud our mistakes with tons of activity.

You see, you can be taking massive action in cyber defense, but if one is on the wrong track, it doesn't matter what speed you're going.  You won't get there!

We know from the writings of R. Buckminster Fuller, that all known cases of biological, sociological and technological extinction flow from a common root cause.  That root cause of extinction is OVER SPECIALIZATION.  Few would argue with me that cyber security is highly specialized.

When one inbreeds specialization, one outbreeds ADAPTABILITY.  (Star Trekkies, remember The Borg!)

The antidote to over specialized cyber thinking/doing is COMPREHENSIVE cyber thinking/doing.  COMPREHENSIVE cyber thinking/doing considers everything in all 7 layers of the OSI model from the mobile edge through the software defined private or public data center.  I have members of my technical team working on just such comprehensive cyber operating models, linking risk assessments to security architectures to security operations to proactive threat analyses and action taking to the business continuity and disaster recovery plan.

START THINKING ABOUT BUILDING SMALLER PERIMETERS AROUND CRITICAL ASSETS.  The dominant paradigm of defending all assets via a common perimeter has been rendered as totally OBSOLETE.